Hi All,

Thanks to Daniel Robbins and his articles I've got the following basic
script working on one of my boxes:
======================== |
6 |
#(connection to the Internet) |
7 |
|
8 |
UPLINK="eth0" |
9 |
|
10 |
#if you're a router (and thus should forward IP packets between interfaces), |
11 |
#you want ROUTER="yes"; otherwise, ROUTER="no" |
12 |
|
13 |
ROUTER="no" |
14 |
|
15 |
#change this next line to the static IP of your uplink interface for static |
16 |
SNAT, or |
17 |
#"dynamic" if you have a dynamic IP. If you don't need any NAT, set NAT to |
18 |
"" to |
19 |
#disable it. |
20 |
|
21 |
NAT="" |
22 |
#change this next line so it lists all your network interfaces, including lo |
23 |
|
24 |
INTERFACES="lo eth0 ppp0" |
25 |
|
26 |
if [ "$1" = "start" ] |
27 |
then |
28 |
echo "Starting firewall..." |
29 |
iptables -P INPUT DROP |
30 |
iptables -A INPUT -i ! ${UPLINK} -j ACCEPT |
31 |
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT |
32 |
iptables -A INPUT -p tcp -i ${UPLINK} -j DROP |
33 |
#for testing use: REJECT --reject-with tcp-reset |
34 |
iptables -A INPUT -p udp -i ${UPLINK} -j DROP |
35 |
#for testing use: REJECT --reject-with icmp-port-unreachable |
36 |
|
37 |
# #explicitly disable ECN |
38 |
# if [ -e /proc/sys/net/ipv4/tcp_ecn ] |
39 |
# then |
40 |
# echo 0 > /proc/sys/net/ipv4/tcp_ecn |
41 |
# fi |
42 |
|
43 |
# #disable spoofing on all interfaces |
44 |
# for x in ${INTERFACES} |
45 |
# do |
46 |
# echo 1 > /proc/sys/net/ipv4/conf/${x}/rp_filter |
47 |
# done |
48 |
|
49 |
if [ "$ROUTER" = "yes" ] |
50 |
then |
51 |
#we're a router of some kind, enable IP forwarding |
52 |
echo 1 > /proc/sys/net/ipv4/ip_forward |
53 |
if [ "$NAT" = "dynamic" ] |
54 |
then |
55 |
#dynamic IP address, use masquerading |
56 |
echo "Enabling masquerading (dynamic ip)..." |
57 |
iptables -t nat -A POSTROUTING -o ${UPLINK} -j |
58 |
MASQUERADE |
59 |
elif [ "$NAT" != "" ] |
60 |
then |
61 |
#static IP, use SNAT |
62 |
echo "Enabling SNAT (static ip)..." |
63 |
iptables -t nat -A POSTROUTING -o ${UPLINK} -j SNAT |
64 |
--to ${UPIP} |
65 |
fi |
66 |
fi |
67 |
|
68 |
|
69 |
elif [ "$1" = "stop" ] |
70 |
then |
71 |
echo "Stopping firewall..." |
72 |
iptables -F INPUT |
73 |
iptables -P INPUT ACCEPT |
74 |
#turn off NAT/masquerading, if any |
75 |
iptables -t nat -F POSTROUTING |
76 |
fi |
77 |
======================== |

nmap shows me that it works okay, but of course that's only on eth0, which
is the only NIC on this box and connects to an ADSL hardware router.

No matter what I tried I have not managed to make the script work for the
ppp0 interface. Am I supposed to duplicate all the iptables lines and
define ppp0 instead of eth0? Is there a clever modification I could use
on the above script to get the same result?

On a different but broadly relevant topic - are there any specific sysctl
and iptables settings I need to get google talk/gaim/kopete working?
-- 
Regards,
Mick

-- 
gentoo-user@g.o mailing list
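As an added example, not part of the message above or of Daniel Robbins's articles, the posted script can be generalized so that `UPLINKS` lists every Internet-facing interface and the INPUT and NAT rules are applied to each one in a loop rather than duplicated by hand for ppp0. The interface names are the ones from the post; `ipt`, `set_knob`, `DRY_RUN`, `TRUSTED` and `preview_rules` are this example's own additions. Static SNAT is left out because with several uplinks it would need one address per interface.

```shell
#!/bin/sh
# Added example, not from the original post: the same firewall with UPLINKS
# naming every Internet-facing interface, so the rules are applied to eth0
# and ppp0 in a loop instead of being duplicated. ipt, set_knob, DRY_RUN,
# TRUSTED and preview_rules are this example's own additions.

UPLINKS="eth0 ppp0"         # every interface that faces the Internet
TRUSTED="lo"                # interfaces whose traffic is accepted outright
INTERFACES="lo eth0 ppp0"   # all interfaces, for the rp_filter loop
ROUTER="no"                 # "yes" to forward packets between interfaces
NAT=""                      # "dynamic" to masquerade on every uplink, "" for none
DRY_RUN="${DRY_RUN:-no}"    # DRY_RUN=yes prints the commands instead of running them

# Run iptables, or print the command when DRY_RUN=yes.
ipt() {
    if [ "$DRY_RUN" = "yes" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Write a /proc/sys knob (path, value); skipped when it is not writable.
set_knob() {
    if [ "$DRY_RUN" = "yes" ]; then
        echo "sysctl $1 = $2"
    elif [ -w "$1" ]; then
        echo "$2" > "$1"
    fi
}

fw_start() {
    echo "Starting firewall..."
    ipt -P INPUT DROP
    # With more than one uplink, "not the uplink" is no longer a single
    # negation, so trusted interfaces are listed positively instead.
    for t in $TRUSTED; do
        ipt -A INPUT -i "$t" -j ACCEPT
    done
    # Replies to connections this box opened are accepted on any interface.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Unsolicited TCP/UDP from each uplink is dropped (use REJECT while testing).
    for up in $UPLINKS; do
        ipt -A INPUT -p tcp -i "$up" -j DROP
        ipt -A INPUT -p udp -i "$up" -j DROP
    done
    # Reverse-path filtering on every interface.
    for x in $INTERFACES; do
        set_knob "/proc/sys/net/ipv4/conf/$x/rp_filter" 1
    done
    if [ "$ROUTER" = "yes" ]; then
        set_knob /proc/sys/net/ipv4/ip_forward 1
        if [ "$NAT" = "dynamic" ]; then
            echo "Enabling masquerading (dynamic ip)..."
            for up in $UPLINKS; do
                ipt -t nat -A POSTROUTING -o "$up" -j MASQUERADE
            done
        fi
    fi
}

fw_stop() {
    echo "Stopping firewall..."
    ipt -F INPUT
    ipt -P INPUT ACCEPT
    ipt -t nat -F POSTROUTING
}

# Number of INPUT rules a start run would install for one interface, taken
# from a dry run; a quick check that every uplink is covered before loading.
preview_rules() {
    (DRY_RUN=yes; fw_start) | grep -c -e "-i $1 "
}

case "$1" in
    start) fw_start ;;
    stop)  fw_stop ;;
esac
```

Listing the trusted interfaces positively rather than negating the uplink is also the safer default: an interface that appears later (a second PPP link, a VPN tunnel) is treated as untrusted until it is added to `TRUSTED`. Running `DRY_RUN=yes sh firewall.sh start` prints the complete rule set for review without touching the kernel.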